- dtucker@cvs.openbsd.org 2006/08/14 12:40:25

[servconf.c servconf.h sshd_config.5] Add ability to match groups to Match keyword in sshd_config. Feedback djm@, stevesk@, ok stevesk@.
author: Damien Miller <djm@mindrot.org> 2006-08-19 00:23:15 +1000
committer: Damien Miller <djm@mindrot.org> 2006-08-19 00:23:15 +1000
commit: 565ca3f60058f22d083572930833aaff2292ac20 (patch)
tree: b3e6cb3be750d8492e987a26bba0a01d5df825c7 /servconf.c
parent: 1c89ce074920a11ac1eb2093867e50c869d05480 (diff)
1 files changed, 55 insertions, 1 deletions
diff --git a/servconf.c b/servconf.c
index 5884b95be..1f80de22d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
@@ -16,6 +16,7 @@
 #include <sys/socket.h>
 #include <netdb.h>
+#include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -37,6 +38,7 @@
 #include "mac.h"
 #include "match.h"
 #include "channels.h"
+#include "groupaccess.h"
 static void add_listen_addr(ServerOptions *, char *, u_short);
 static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -497,6 +499,51 @@ add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
 */
 static int
+match_cfg_line_group(const char *grps, int line, const char *user)
+{
+        int result = 0;
+        u_int ngrps = 0;
+        char *arg, *p, *cp, *grplist[MAX_MATCH_GROUPS];
+        struct passwd *pw;
+        /*
+         * Even if we do not have a user yet, we still need to check for
+         * valid syntax.
+         */
+        arg = cp = xstrdup(grps);
+        while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
+                if (ngrps >= MAX_MATCH_GROUPS) {
+                        error("line %d: too many groups in Match Group", line);
+                        result = -1;
+                        goto out;
+                }
+                grplist[ngrps++] = p;
+        }
+        if (user == NULL)
+                goto out;
+        if ((pw = getpwnam(user)) == NULL) {
+                debug("Can't match group at line %d because user %.100s does "
+                    "not exist", line, user);
+        } else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+                debug("Can't Match group because user %.100s not in any group "
+                    "at line %d", user, line);
+        } else if (ga_match(grplist, ngrps) != 1) {
+                debug("user %.100s does not match group %.100s at line %d",
+                    user, arg, line);
+        } else {
+                debug("user %.100s matched group %.100s at line %d", user,
+                    arg, line);
+                result = 1;
+        }
+out:
+        ga_free();
+        xfree(arg);
+        return result;
+}
+static int
 match_cfg_line(char **condition, int line, const char *user, const char *host,
    const char *address)
 {
@@ -527,6 +574,13 @@ match_cfg_line(char **condition, int line, const char *user, const char *host,
                        else
                                debug("user %.100s matched 'User %.100s' at "
                                    "line %d", user, arg, line);
+                } else if (strcasecmp(attrib, "group") == 0) {
+                        switch (match_cfg_line_group(arg, line, user)) {
+                        case -1:
+                                return -1;
+                        case 0:
+                                result = 0;
+                        }
                } else if (strcasecmp(attrib, "host") == 0) {
                        if (!host) {
                                result = 0;
author	Damien Miller <djm@mindrot.org>	2006-08-19 00:23:15 +1000
committer	Damien Miller <djm@mindrot.org>	2006-08-19 00:23:15 +1000
commit	565ca3f60058f22d083572930833aaff2292ac20 (patch)
tree	b3e6cb3be750d8492e987a26bba0a01d5df825c7 /servconf.c
parent	1c89ce074920a11ac1eb2093867e50c869d05480 (diff)

diff --git a/servconf.c b/servconf.c index 5884b95be..1f80de22d 100644 --- a/servconf.c +++ b/servconf.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: servconf.c,v 1.164 2006/08/03 03:34:42 deraadt Exp $ */	1	/* $OpenBSD: servconf.c,v 1.165 2006/08/14 12:40:25 dtucker Exp $ */
2	/*	2	/*
3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4	* All rights reserved	4	* All rights reserved
@@ -16,6 +16,7 @@
16	#include <sys/socket.h>	16	#include <sys/socket.h>
17		17
18	#include <netdb.h>	18	#include <netdb.h>
		19	#include <pwd.h>
19	#include <stdio.h>	20	#include <stdio.h>
20	#include <stdlib.h>	21	#include <stdlib.h>
21	#include <string.h>	22	#include <string.h>
@@ -37,6 +38,7 @@
37	#include "mac.h"	38	#include "mac.h"
38	#include "match.h"	39	#include "match.h"
39	#include "channels.h"	40	#include "channels.h"
		41	#include "groupaccess.h"
40		42
41	static void add_listen_addr(ServerOptions , char , u_short);	43	static void add_listen_addr(ServerOptions , char , u_short);
42	static void add_one_listen_addr(ServerOptions , char , u_short);	44	static void add_one_listen_addr(ServerOptions , char , u_short);
@@ -497,6 +499,51 @@ add_one_listen_addr(ServerOptions options, char addr, u_short port)
497	*/	499	*/
498		500
499	static int	501	static int
		502	match_cfg_line_group(const char grps, int line, const char user)
		503	{
		504	int result = 0;
		505	u_int ngrps = 0;
		506	char arg, p, cp, grplist[MAX_MATCH_GROUPS];
		507	struct passwd *pw;
		508
		509	/*
		510	* Even if we do not have a user yet, we still need to check for
		511	* valid syntax.
		512	*/
		513	arg = cp = xstrdup(grps);
		514	while ((p = strsep(&cp, ",")) != NULL && *p != '\0') {
		515	if (ngrps >= MAX_MATCH_GROUPS) {
		516	error("line %d: too many groups in Match Group", line);
		517	result = -1;
		518	goto out;
		519	}
		520	grplist[ngrps++] = p;
		521	}
		522
		523	if (user == NULL)
		524	goto out;
		525
		526	if ((pw = getpwnam(user)) == NULL) {
		527	debug("Can't match group at line %d because user %.100s does "
		528	"not exist", line, user);
		529	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
		530	debug("Can't Match group because user %.100s not in any group "
		531	"at line %d", user, line);
		532	} else if (ga_match(grplist, ngrps) != 1) {
		533	debug("user %.100s does not match group %.100s at line %d",
		534	user, arg, line);
		535	} else {
		536	debug("user %.100s matched group %.100s at line %d", user,
		537	arg, line);
		538	result = 1;
		539	}
		540	out:
		541	ga_free();
		542	xfree(arg);
		543	return result;
		544	}
		545
		546	static int
500	match_cfg_line(char *condition, int line, const char user, const char *host,	547	match_cfg_line(char *condition, int line, const char user, const char *host,
501	const char *address)	548	const char *address)
502	{	549	{
@@ -527,6 +574,13 @@ match_cfg_line(char *condition, int line, const char user, const char *host,
527	else	574	else
528	debug("user %.100s matched 'User %.100s' at "	575	debug("user %.100s matched 'User %.100s' at "
529	"line %d", user, arg, line);	576	"line %d", user, arg, line);
		577	} else if (strcasecmp(attrib, "group") == 0) {
		578	switch (match_cfg_line_group(arg, line, user)) {
		579	case -1:
		580	return -1;
		581	case 0:
		582	result = 0;
		583	}
530	} else if (strcasecmp(attrib, "host") == 0) {	584	} else if (strcasecmp(attrib, "host") == 0) {
531	if (!host) {	585	if (!host) {
532	result = 0;	586	result = 0;